Abstract — Many operations in power grids, such as fault
detection and event location estimation, depend on precise timing 
information. In this paper, a novel Time Synchronization Attack 
(TSA) is proposed to attack the timing information in smart 
grid. Since many applications in smart grid utilize synchronous 
measurements and most of the measurement devices are equipped 
with global positioning system (GPS) for precise timing, it is 
highly probable to attack the measurement system by spoofing 
the GPS. The effectiveness of TSA is demonstrated for three 
applications of phasor measurement unit (PMU) in smart grid, 
namely transmission line fault detection, voltage stability moni- 
toring and event locationing. The validity of TSA is demonstrated 
by numerical simulations. 

Index Terms — Time Synchronization Attack, Synchronized
Monitoring, GPS spoofing, Smart Grid



I. Introduction 

The research interest in smart grid LIQJ has been growing 
in recent years. As one of the key components in smart grid, 
wide area monitoring systems (WAMSs) [25] have received
tremendous attention. The reliability of the smart grid system 
relies on the operation of WAMSs, since the operations of 
smart grid demand the real-time status of system provided by 
WAMSs. 

WAMSs are typically constructed in a centralized manner. 
The monitoring devices are placed throughout the entire smart 
grid system, and they convey their measurement data to the 
control center by certain communication infrastructure, such 
as wireless network and optical fiber network. The control 
center implements the analysis on these measurement data, 
and corresponding control decisions will be made to maintain 
the normal operation of smart grid. Note that supervisory 
control and data acquisition (SCADA) systems LIS J have been 
applied for maintaining the reliability of the power grid control 
systems. However, SCADA mostly deals with random failures 
in the system, instead of malicious attacks. 

The security of WAMSs is one of the key issues in smart 
grid technology, since errors of monitoring measurements 
introduced by malicious attackers will cause wrong control 
decisions, which may lead to a catastrophe like blackout 
[23]. [2] proposed a security strategy against denial-of-service
(DoS) attack which focuses on the cyber security of the
communication infrastructure. Meanwhile, malicious attack
against measurement data, namely false data injection attack
(FDIA) has been studied in [12] lEI CSl. By launching
FDIA, malicious attackers can manipulate the system state
variables by modifying the measurements at a set of selected
monitoring devices. FDIA can mislead the control center to
have an incorrect evaluation on the system operation status;
consequently wrong control decisions will be made.

National Science Foundation under grants ECCS-0901425.

Fig. 1: Illustration of time synchronized monitoring in smart
grid with GPS spoofer

To launch FDIA successfully, malicious attackers need to
have full knowledge of the power grid network such that
systematic false measurements can be generated to bypass the
bad measurement detection [13]. However, it is very difficult
for attackers to obtain the full knowledge of the power grid
network infrastructure which can only be accessed by the
power system operator. In addition, FDIA requires physical
access to several selected monitoring devices in order to
inject the false measurement data. This is another difficulty in
practice, since those monitoring devices are typically placed
at locations with physical security protection.

In this paper, we identify a potential attack to WAMSs in
smart grid, coined time synchronization attack (TSA). Note
that monitoring devices are distributed throughout the entire
power grid network, whose measurement data are fed back
to the control center with various transmission delays. To 
obtain an accurate system operation status, the control center 
needs to align all collected measurements in the time domain, 
which is called time synchronized monitoring [6]. Since global
positioning system (GPS) signal is highly accurate and stable
for timing without any extra communication infrastructure,
GPS based time synchronization monitoring devices have been
widely deployed in smart grid monitoring system. Figure 1
illustrates time synchronized monitoring in smart grid. There 
are n time synchronized measuring devices (TSMD) installed 
throughout the entire smart grid system, and each of them is 
equipped with a GPS signal receiver. Note that TSMD is a
general concept, which could be any measurement device
requiring time synchronization, e.g. phasor measurement units
(PMU). The grid operation state parameters, such as frequency
and voltage, are sampled periodically and the sampling is 
triggered by the GPS timing signal from the GPS receiver. To 
cope with the different data transmission delays of different 
measurements, it is necessary to attach the time values at 
which the measurements are sampled. This procedure is simi- 
lar to posting a stamp to the measurements (hence called time 
stamp). The control center aligns the collected measurements 
according to their time stamps, and analyzes the system state 
for future control actions. 

By applying GPS timing as the grid-wide sampling ref- 
erence time, all TSMDs in the smart grid sample the ob- 
servations in a synchronous manner. However, a malicious 
attacker can modify the sampling time by introducing a forged 
GPS signal [9]. There are several studies that have identified
the possibility of spoofing GPS receivers [9], [19], [22].
Furthermore, a real-world GPS spoofing attack was reported
recently [7], which demonstrated the vulnerability of GPS
signals. Note that the malicious attacker does not need to 
hack into the monitoring system or have physical contact to 
the TSMDs. In addition, it is difficult to locate the malicious 
attacker since it can transmit the GPS spoofing signal as it 
moves around the target TSMD. As illustrated in Figure 1,
the malicious attacker launches a TSA to one of the TSMDs 
by transmitting counterfeit GPS signal, in which the timing 
has been modified. The target TSMD will do sampling at a 
wrong time. Consequently, the measurements with false time 
stamps are conveyed to the control center. The control center 
will therefore misalign the measurements and will obtain an 
incorrect system state. Although there is some data processing 
procedure to handle the measurements, most current process- 
ing schemes only consider the measurement error caused by 
noise or packet loss; therefore, TSA can easily bypass a simple 
countermeasure scheme such as smoothing filtering. 

Motivated by the security requirement of smart grid, in this 
paper, the impacts of TSA will be identified and the severity
of TSA will also be analyzed. Specifically, we study TSA 
in three applications of PMU, namely transmission line fault 
detection/locationing, voltage stability monitoring and event 
locationing. Moreover, TSA is not constrained to only PMU 
applications. There exist potential TSA opportunities in any 
monitoring system requiring time synchronization. Simulation 
results will demonstrate that TSA can effectively deteriorate 
the performance of these applications and may even result in 
false operations in power system. 

The remainder of this paper is organized as follows. Section
II provides the GPS spoofing attack model. Section III studies
the impacts of TSA on transmission line fault detection and
fault localization. The TSA damage analysis and corresponding
simulation result of the voltage monitoring algorithm are
presented in Section IV. Section V presents the study
of TSA in the task of regional perturbation event location.
Conclusions and future work are provided in Section VI.

II. GPS Signal Receiving And Attack Model 

In this section, we briefly introduce the GPS signal recep- 
tion processing. Then we propose the attack model for GPS 
spoofing and TSA. 
Fig. 2: Subframe-1 structure



A. Introduction of GPS Signal Receiving 

The precise timing information from GPS signals includes 
two parts: one is embedded in the navigation messages de- 
modulated from the received GPS signals, whose precision 
is in the order of seconds; the other part is the precise 
signal propagation time from the GPS satellite to the receiver, 
which has the precision of millisecond for civilian users. The 
timing information with precision of second is located in 
subframe 1, whose frame structure |i4J is illustrated in Figure
2, where "TLM" is the telemetry data serving as preamble,
and "HOW" provides the GPS time-of-week (TOW) modulo
6 seconds corresponding to the leading edge of the following
subframe. Therefore, with TOW and GPS week number, we
can obtain the date and the time with the precision of second.
To obtain a more precise time value, we need to calculate
the propagation time of the GPS signal from the satellite to
the GPS receiver. Therefore, users in different locations can
be synchronized by exploiting the GPS precise timing information
as a time reference. The system-wide synchronization
time reference is referred to the coordinated universal time
(UTC) $t_{UTC}$ disseminated by GPS, which is given by

$$t_{UTC} = t_{rcv} - t_p - \Delta t_{UTC}, \tag{1}$$

where $t_{rcv}$ and $t_p$ denote the receiver clock time and propagation
time for the GPS signal, respectively; and $\Delta t_{UTC}$ denotes
the time corrections provided by the GPS ground controllers.
To obtain the navigation message, we need to demodulate
the GPS signal. A typical GPS signal reception processing
is illustrated in Figure 3.

The received standard positioning service (SPS) GPS signal
$r(t)$ is given by

32 

k=l 

(2) 

where and $P_c$ are the channel matrix for the k-th satellite
and the signal power, respectively; $C_k(t)$ and $D_k(t)$ are the
spread spectrum sequence (C/A code) and the navigation
message data from the k-th satellite, respectively; $f_{L1}$ and $\Delta f_k$
are the carrier frequency for civilian GPS signal and Doppler
frequency shift for the k-th satellite, respectively; and $n(t)$ is
noise. As illustrated in Figure 3, the signal processing includes
two major steps, namely acquisition and tracking. From (2),
we can observe that the key processing for acquisition is
to search for the code phase of the received C/A code and
Doppler frequency shift $\Delta f_k$. By multiplying the C/A code
of identical code phase and the carrier of identical frequency
with the received GPS signal, the navigation message can be
demodulated coherently yj.

Fig. 3: Diagram of GPS signal receiving processing

Fig. 4: Comparison of the correlation peak under normal and
spoofing attack reception conditions.

B. Attack model 

To spoof a GPS receiver, the GPS receiver needs to be 
misled to acquire the fake GPS signal instead of the true one. 
Since the acquisition is implemented by searching for the high- 
est correlation peak in the code-phase-carrier-frequency two 
dimensional space, intuitively, the signal with higher signal-to- 
noise-ratio (SNR) will have a higher correlation peak, which 
is illustrated in Figure 4. Therefore, there exists a two-step
spoofing strategy. In the first step, the spoofer launches certain
interference which causes the GPS receiver to lose track. In the 
second step, it launches the spoofing GPS signal when the GPS 
receiver carries out the acquisition processing. Consequently, 
the GPS receiver will track the counterfeit GPS signal due to 
its higher correlation peak, since the counterfeit GPS signal 
has a higher SNR. 

Alternatively, the attacker can scan the two-dimensional
space of code phase and carrier frequency until the fake
correlation peak overlaps the true correlation peak, which
is illustrated in Figure 5. The first stage is correlation peak
scanning, in which the attacker launches the fake correlation peak
close to the true correlation peak and moves slowly towards
the true correlation peak. Note that it is not difficult for
the malicious attacker to estimate the location of the target
GPS receiver, such that it can obtain the information of the
true correlation peak by inferring it from its own GPS receiver.
Therefore, the attacker does not need to implement blind
search on the entire two-dimensional space of code phase
and carrier frequency. In the second stage, the fake correlation
peak moves to the position in which the fake correlation peak
overlaps the true one. The GPS receiver will be captured by
the counterfeit signal and locked to the fake correlation peak,
since it has a higher SNR. In the third stage, the attacker will
move the fake correlation peak slowly to the desired point.
At this time, the true correlation peak will be considered as
noise.

Fig. 6: Model for long transmission line model with fault

III. TSA in Transmission Line Fault Detection and
Fault Localization

In this section, we study the impact of TSA on transmission 
line fault detection and localization. Since a fault of a single 
transmission line may trigger cascading failures spreading 
within the entire power grid system, it requires quick and 
accurate locationing of the fault in a wide power grid area. 
One conventional method is to detect and localize the fault 
by utilizing local voltage and current measurements. For im- 
proving the accuracy and locationing speed, many researchers 
proposed to utilize measurements at both ends of transmission 
line II20I ifTTIl ifTSll . These measurements are attached with 
sampling time which is obtained from its GPS signal receiver; 
therefore TSA can affect the fault detection and localization of 
transmission lines. In this section, we will first briefly review 
the fault detection and location in transmission line. Then, the 
impact of TSA on the transmission line fault detection and 
location will be analyzed. Simulation results will be provided
at the end of this section. 

A. Fault Detection and Fault Localization for Long Transmis- 
sion Line 

Fig. 5: Spoof the GPS receiver by a three-stage attack.

The model of long transmission line with fault [1], [11] is
shown in Figure 6. Suppose that the total length of transmission
line is L, and F is the fault location. As is shown in
Figure 6, the fault point F divides the whole transmission
line into two sections, which include line section SF and line
section FR. The transmission line sections SF and FR can
still be considered as two perfect transmission lines. We define
the fault location index $D \in [0, 1]$ such that the distance from
the fault location F to the receiving end R is DL. On both
sides of the fault point, the transmission line is represented by
an equivalent π circuit [8]. On the transmission line section
SF, the sending end voltage of the equivalent π circuit $V_S$ is
given by



YsF and YpR are given by 



Vs 



(3) 



where $V_F$ and $I_F$ are the voltage and the current at the fault
location, respectively; $Z'_{SF}$ and $Y'_{SF}$ are the equivalent series
arm impedances and the equivalent shunt arms admittances of
transmission line section SF, respectively. Similarly, in the
transmission line section FR, the sending end voltage of the
equivalent π circuit $V_F$ is given by



(4) 



where $V_R$ and $I_R$ are the voltage and the current at the
receiving end of the transmission line, respectively; $Z'_{FR}$
and $Y'_{FR}$ are the equivalent series arm impedances and the
equivalent shunt arms admittances of transmission line section
FR, respectively. The equivalent series arm impedances $Z'_{SF}$
and $Z'_{FR}$ are given by



Z' 



FR 



Zsf 



Zfr 



sinh(7(l - D)L) 
sinh(7DL) 



with 



$Z_{SF} = (1 - D)Lz$
$Z_{FR} = DLz$

7 = 



(5) 
(6) 



(7) 
(8) 
(9) 



where $Z_{SF}$ and $Z_{FR}$ are the total series impedance of the
line sections SF and FR, respectively; z and y are the unit
line impedance and admittance, respectively; and $\gamma$ is called
the attenuation constant. The equivalent shunt arms admittance
$Y'_{SF}$ and $Y'_{FR}$ are given by



V' — 



^FR 



Yfr 



2 

tanh(^) 

2 



with 



$Y_{SF} = (1 - D)Ly$
$Y_{FR} = DLy$



(10) 
(11) 



(12) 
(13) 



where $Y_{SF}$ and $Y_{FR}$ are the shunt arms admittance of the line
section SF and FR, respectively.

When a fault occurs, the voltages $V_F$ at the fault location
calculated from (3) and (4) are identical [11]. Thus, substituting
(4) into (3), the fault location index D can be estimated as

$$D = \frac{\ln(N/M)}{2\gamma L} \tag{14}$$

where

$$M = \frac{V_S + Z_c I_S}{2}\exp(-\gamma L) - \frac{V_R + Z_c I_R}{2} \tag{15}$$

$$N = \frac{V_R - Z_c I_R}{2} - \frac{V_S - Z_c I_S}{2}\exp(\gamma L) \tag{16}$$

where $Z_c = \sqrt{z/y}$ is the characteristic impedance of
transmission line. Furthermore, it can be observed from (15)
and (16) that, if there is no fault, the computed absolute values
of $M$ and $N$ are all held at zero. Therefore, $M$ and $N$ can
also be utilized as fault indicators [11].

In practice, PMUs are installed at both ends of the transmis- 
sion line to obtain Vs, Vr, Is, and Ir. These measurements 
will be conveyed to the control center along with their time 
stamps. The control center will exploit the time stamps of these
measurements for alignment such that the indicators $N$ and
$M$ can be calculated in terms of the measurements sampled
at the same time. In the next subsection, we will analyze
how TSA affects the transmission line fault detection and fault 
location. 
B. Analysis of Impact

In this subsection, we analyze the impact of TSA on the
transmission line fault detection and location. The transmission
line fault detection and location is based on the PMUs installed
on both ends of the transmission line. It should be noted that
the measurements $V_S$, $V_R$, $I_S$, and $I_R$ have complex values.
When TSA is launched toward target PMUs, the time stamps
on these measurements will be modified, which is equivalent
to modifying the phase angle of these measurements. The
phase angle errors resulting from TSA at the sending PMU and
receiving PMU are denoted by $\Delta\theta_S$ and $\Delta\theta_R$, respectively.
The measurements $V_S$, $V_R$, $I_S$, and $I_R$ affected by TSA
are denoted as $\tilde V_S$, $\tilde V_R$, $\tilde I_S$, and $\tilde I_R$, which are given by

$$\tilde V_S = |V_S| \exp j(\theta_{V_S} + \Delta\theta_S) = V_S \exp(j\Delta\theta_S) \tag{17}$$

$$\tilde V_R = |V_R| \exp j(\theta_{V_R} + \Delta\theta_R) = V_R \exp(j\Delta\theta_R) \tag{18}$$

$$\tilde I_S = |I_S| \exp j(\theta_{I_S} + \Delta\theta_S) = I_S \exp(j\Delta\theta_S) \tag{19}$$

$$\tilde I_R = |I_R| \exp j(\theta_{I_R} + \Delta\theta_R) = I_R \exp(j\Delta\theta_R) \tag{20}$$

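To analyze the impact of TSA on the transmission line fault
detection, we substitute (17)-(20) into (15) and (16) and then
obtain

$$\tilde M = \frac{V_S + Z_c I_S}{2}\exp(-\gamma L)\exp(j\Delta\theta_S) - \frac{V_R + Z_c I_R}{2}\exp(j\Delta\theta_R) \tag{21}$$

$$\tilde N = \frac{V_R - Z_c I_R}{2}\exp(j\Delta\theta_R) - \frac{V_S - Z_c I_S}{2}\exp(\gamma L)\exp(j\Delta\theta_S). \tag{22}$$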



The impacts of TSA on the line fault detection indicators $M$
and $N$ are equivalent to adding amplitude modulations. The
error of line fault location due to TSA is given by

$$\Delta D = D - D_{TSA} = \frac{1}{2\gamma L}\ln\frac{N\tilde M}{M\tilde N} = \frac{1}{2\gamma L}\ln\frac{(A + B)(C + De)}{(C + D)(A + Be)} \tag{23}$$

with

$$A = V_R - Z_c I_R \tag{24}$$

$$B = -(V_S - Z_c I_S)\exp(\gamma L) \tag{25}$$

$$C = -(V_R + Z_c I_R) \tag{26}$$

$$D = (V_S + Z_c I_S)\exp(-\gamma L) \tag{27}$$

$$e = \exp(j(\Delta\theta_R - \Delta\theta_S)) = \exp(j\Delta\theta), \tag{28}$$

where $\Delta\theta$ denotes the asynchronism of the phase angles of
the measurements between the sending end and the receiving
end caused by TSA. In the next subsection, the simulation
results will show that the attacker can obtain the maximum
line fault location error by launching TSA jointly on both the
sending and receiving ends simultaneously.

TABLE I: Simulation settings for transmission line fault
ittion

Fig. 7: Simulation model for transmission line fault detection
and location
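The phase-rotation model of (17)-(22) can be checked numerically. The Python sketch below is an added example, not code from the paper: it builds two-ended phasors for a distributed-parameter line, evaluates M, N and D from (14)-(16), and rotates each end by $\Delta\theta = 2\pi f \Delta t$. The line constants, load, fault resistance, the 60 Hz nominal frequency and the use of the real part of D are assumptions made here, since the values of Table I are not reproduced on this page.

```python
import cmath
import math

# Constructed line data; Table I of the paper is not reproduced on this page.
F_NOMINAL_HZ = 60.0
Z_PER_KM = complex(0.03, 0.35)      # unit series impedance z, ohm/km
Y_PER_KM = complex(0.0, 4.2e-6)     # unit shunt admittance y, S/km
LINE_KM = 300.0                     # total line length L
GAMMA = cmath.sqrt(Z_PER_KM * Y_PER_KM)
Z_C = cmath.sqrt(Z_PER_KM / Y_PER_KM)   # characteristic impedance Z_c


def _upstream(v_far, i_far, length_km):
    """Phasors at the near end of a healthy section, given its far end."""
    g = GAMMA * length_km
    v_near = v_far * cmath.cosh(g) + Z_C * i_far * cmath.sinh(g)
    i_near = i_far * cmath.cosh(g) + (v_far / Z_C) * cmath.sinh(g)
    return v_near, i_near


def line_phasors(d=None, r_fault=10.0, z_load=cmath.rect(325.0, 0.2),
                 v_source=130e3):
    """Return (V_S, I_S, V_R, I_R) for a line feeding z_load.

    d is the fault index D (fault at distance D*L from the receiving end);
    d=None models a healthy line. All defaults are constructed values.
    """
    v_r, i_r = z_load, 1.0 + 0j          # solve for I_R = 1 A, rescale below
    if d is None:
        v_s, i_s = _upstream(v_r, i_r, LINE_KM)
    else:
        v_f, i_f = _upstream(v_r, i_r, d * LINE_KM)
        i_f += v_f / r_fault             # current diverted into the fault
        v_s, i_s = _upstream(v_f, i_f, (1.0 - d) * LINE_KM)
    k = v_source / v_s                   # linear network: scale to the source
    return v_s * k, i_s * k, v_r * k, i_r * k


def indicators(v_s, i_s, v_r, i_r):
    """Fault indicators M and N of (15) and (16)."""
    growth = cmath.exp(GAMMA * LINE_KM)
    m = (v_s + Z_C * i_s) / 2 / growth - (v_r + Z_C * i_r) / 2
    n = (v_r - Z_C * i_r) / 2 - (v_s - Z_C * i_s) / 2 * growth
    return m, n


def fault_index(v_s, i_s, v_r, i_r):
    """Fault location index D of (14); the real part is kept (assumption)."""
    m, n = indicators(v_s, i_s, v_r, i_r)
    return (cmath.log(n / m) / (2 * GAMMA * LINE_KM)).real


def shift_timestamps(phasors, dt_s, dt_r):
    """Apply (17)-(20): a time-stamp offset dt rotates a phasor by 2*pi*f*dt."""
    v_s, i_s, v_r, i_r = phasors
    rot_s = cmath.exp(2j * math.pi * F_NOMINAL_HZ * dt_s)
    rot_r = cmath.exp(2j * math.pi * F_NOMINAL_HZ * dt_r)
    return v_s * rot_s, i_s * rot_s, v_r * rot_r, i_r * rot_r


if __name__ == "__main__":
    fault = line_phasors(d=0.3)
    for dt_r in (0.0, 1e-4, 1e-3):
        est = fault_index(*shift_timestamps(fault, 0.0, dt_r))
        print(f"offset at R = {dt_r * 1e3:4.1f} ms  D = {est:.4f}  "
              f"error = {(est - 0.3) * LINE_KM:+.1f} km")
    m, n = indicators(*shift_timestamps(line_phasors(), 0.0, 1e-3))
    print(f"healthy line, 1 ms offset at R: |M| = {abs(m):.0f} V, "
          f"|N| = {abs(n):.0f} V")
```

Equal offsets at both ends leave D unchanged; only the asynchronism between the two ends moves the estimate, which is the quantity a two-ended fault locator needs bounded.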

C. Simulation results of TSA on transmission line fault detec- 
tion and location 

In this section, simulations have been conducted to evaluate 
the impacts of TSA on the transmission line fault detection and 
fault location. The simulation model for transmission line is 
shown in Figure 7. The parameters used for the transmission
line are listed in Table I, which are the same as those in [20].

Firstly, we study the impact on the fault indicator. Figure
8 shows the TSA impacts on the fault indicators $M$ and $N$
when various $\Delta\theta_S$ and $\Delta\theta_R$ are applied for TSA. From (15)
and (16), $M$ and $N$ should both remain at zero when there is
no transmission line fault. However, when malicious attackers
launch TSA cooperatively on both the sending and receiving
ends of the transmission line, the attackers can modify the fault
indicator value. Consequently, TSA may trigger a false alarm at
the control center.

We simulate the scenario when there is a three-phase
grounded transmission line fault. Figure 9 demonstrates the
TSA impact on the transmission line fault location. We
simulate various scenarios in which the line fault occurs in
different locations. From Figure 9, we observe that TSA
can produce fault location error as large as 180km. Notice
that it is important to locate the fault accurately in a short
time; otherwise, the local line fault may lead to network-wide
cascading fault. Therefore the error caused by TSA will
severely affect the system-wide reliability of smart grid.

Figure 10 demonstrates the TSA impacts on various types of
transmission line faults. It is observed from Figure 10 that TSA
has different impact patterns for different types of transmission
line faults. However, the malicious attacker can always launch
a TSA causing the maximal error to the transmission line fault
location by cooperatively attacking the sending and receiving
ends.

Fig. 9: Impacts of TSA on transmission line fault location



IV. TSA in Voltage Stability Monitoring

Voltage stability monitoring is one of the key tasks in smart 
grid. One commonly used method to evaluate the voltage 
stability is to apply T-equivalent and Thevenin equivalent 
circuit to set up a simplified model for power system [14].
The key idea is to apply GPS based synchronized PMU to 
monitor the voltage and current in order to obtain the voltage 
stability indicators. In this section, we study the impact of 
TSA on the voltage stability monitoring. 



A. Model of Voltage Stability Monitoring 

The simplified power system modeling for voltage stability 
monitoring includes two key stages. The first stage is to calcu- 
late the parameters of a T-equivalent of the actual transmission 
corridor with the GPS based synchronized measurements [14].
Figure 11 illustrates the T-equivalent circuit.

In the T-equivalent circuit, the whole network is divided
into three parts: generation source $E_g$ with impedance $Z_g$,
transmission network and local load. The available measurements
include local measurements $V_R$, $I_R$, and remote
measurements $V_S$, $I_S$ which are associated with the generation
source and the transmission network. These measurements can
be sampled by PMU and be conveyed to the control center
along with their time stamps. The control center aligns these
measurements according to their time stamps and obtains the
system operation parameters $Z_T$, $Z_{sh}$ and $Z_L$, which can be
estimated as follows:

Vs-Vr 



Zt = 2- 



Zsh 



VsIr + VrIs 



Vr 

Ir' 



4-4 



(29) 
(30) 
(31) 



The complex valued generator voltage $E_g$ and its equivalent
impedance $Z_g$ cannot be estimated simultaneously. However,
in practical cases, $Z_g$ is assumed to be known by the characteristics
of the step-up transformers and the transmission line.
Thus, the equivalent complex voltage of the generators is given
by

$$E_g = V_S + I_S Z_g. \tag{32}$$



After calculating the parameters of the T-equivalent circuit,
the Thevenin equivalent circuit is applied to further simplify
the power system model. $E_{th}$ and $Z_{th}$ are associated with the
following equation:



(33) 



where Eth and Zth are the equivalent voltage source and 
the equivalent source impedance in the Thevenin equivalent 
circuit, which can be calculated by the parameters of the T- 
equivalent circuit: 

Zth + Zl 



th 



Zth 



Vr- 

Zj" 



(34) 



(35) 



When there are transmission lines tripped, the system volt- 
age will become unstable. If the malfunction is not repaired 
in time, the entire system will eventually collapse. With the 
Thevenin equivalent circuit, two important stability margins 
can be obtained [14]. The first indicator is associated with
load impedance, which is given by 



$\mathrm{MARGIN}_Z = 100(1 - k_{crit}),$



where 



^th 



(36) 



(37) 



Assuming that the type of load is constant power consumer,
we define a scale factor $k$ which is used to model the change
in the load impedance. We can set $Z_L = kZ_{L0}$, where $Z_{L0}$
represents the value of load impedance. The transfer power is
given by

Eth 



LO 



Hh 



(38) 



Substituting $k = k_{crit}$ into (38), we can obtain the maximum
possible power transfer, which is given by

2\ 



kcrit Zlo 



E, 



th 



^th 



tZLO 



(39) 



The second indicator is associated with the active power 
delivered to the load bus, which is given by 

Pl, if Zl> Zth 
if Zl > Zth ' 



MARGINp 



/ Phn 

I 0^ 



(40) 



B. Analysis of Impact 

TSA affects the time stamps of the monitoring measurements
similarly to the analysis in (17)-(20). It will modify the
local and remote monitoring measurements by modifying their
phase angles. It can be observed that all the voltage stability
monitoring indicators are based on the T-equivalent parameters
$Z_T$, $Z_{sh}$, and $Z_L$. Under TSA, these three parameters are
modified to

Vsexp{jAOs) - VRexp{jAeR) 



Zrp 



^'sh — 



Z'l = 



(41) 

Is exp{jA0s) + Ir exp(j A6'fi) 

{VsIr + VrIs) 

J2 exp(i2A^fi) - J| exp(j2A^s) 
x(expi(A^s + A^fi)) (42) 
Vr expiJAOR) 



Ir exp(jA6'fi) 



= Zl. 



(43) 






























Fig. 12: Simulation model for voltage stability 



It can be observed that the TSA affects both $Z_T$ and $Z_{sh}$.
Furthermore, it affects the Thevenin equivalent circuit parameters
$Z_{th}$ and $E_{th}$. Since $Z_{th}$ depends on the calculation
result of the T-equivalent parameters $Z_T$ and $Z_{sh}$, the
Thevenin equivalent impedance will be substantially affected
by TSA. Consequently, TSA affects the entire calculation of
the indicators of voltage stability monitoring. In the next subsection,
simulation results will demonstrate the TSA impacts.



C. Simulations of Voltage Stability Monitoring under TSA 

The simulation model for voltage stability monitoring is
shown in Fig. 12. The root mean square amplitude of source
voltage dynamically changes with frequency 1 Hz. The load
has constant power consumption. There are three transmission
lines. A phase-ABC short-circuit fault occurs on transmission
line 1 between 2 seconds and 2.5 seconds. Transmission
lines 1 and 2 are tripped at time 4 seconds and 6 seconds.

It should be noted that the voltage stability indicators
are calculated based on $Z_T$ and $Z_{sh}$. Figure 13 shows the
impacts of TSA on the calculation of the T-equivalent circuit
parameters $Z_T$ and $Z_{sh}$. Without TSA, there are two sharp
steps in $Z_T$, which are due to the line trippings. However,
TSA makes these obvious line tripping symptoms ambiguous.
The impact of TSA on the T-equivalent circuit parameters can
be considered as having amplitude modulations upon $Z_T$ and
$Z_{sh}$.

The further impact of TSA on the Thevenin equivalent
circuit parameters calculation is shown in Figure 14. It can
be observed from Figure 14 that TSA has a significant impact
on the Thevenin equivalent impedance $Z_{th}$ and the phase of
the Thevenin equivalent voltage source $E_{th}$. The impacts of
TSA are similar to those in the T-equivalent circuit, which
have amplitude modulations on the parameters.

The impacts of TSA on voltage stability indicators are
demonstrated in Fig. 15 with different attack strategies. It can
be observed that the margin of active delivered power has been
greatly reduced due to the TSA, which misleads the system
to implement wrong actions of voltage stabilization.

V. TSA in Regional Disturbing Event Location

In this section, we identify the impact of TSA on regional 
disturbing event location in smart grid. One of the important 
tasks in smart grid is to locate the disturbing event in smart 
grid in a short time, and consequent isolation will be im- 
plemented to prevent cascading failure from spreading to the 
entire power network. The disturbing event location is based 
on the time of arrival (TOA) algorithm [24], which requires
accurate event arrival time. Therefore, TSA has a significant
impact on the regional disturbing event location.

Fig. 13: Impacts of TSA on the parameters calculation in T-equivalent circuit with different attack strategies

Fig. 14: Impacts of TSA on the parameters calculation in Thevenin equivalent circuit with different attack strategy

Fig. 15: TSA impacts on the voltage stability indicators

A. Principle of Regional Disturbing Event Location

When a significant disturbance occurs, there will be many 
symptoms such as voltage and frequency oscillations in both 
time and space. The perturbation will travel throughout the 
grid [21]. Therefore, the distributed monitoring devices can
capture the variance of the measurements and send these 
data to the monitoring system server or exchange with its 
neighbors. The event time and location can be deduced from 
the time stamps with these measurements. After receiving 
the measurements from these monitoring devices, the servers 
need to decide the hypocenter of the event, which is typically
marked as the wave front arrival time [3]. By aligning
these measurements according to their time stamps, the event 
arriving time on each monitoring device can be attained. 
Consequently, the disturbing event location can be deduced 
by triangulation, which is illustrated in Figure 16 when there
are four PMUs for the event locationing. The disturbing event
location can be derived from solving the following equations
when four PMUs are involved

$$\begin{cases}
(x_1 - x_e)^2 + (y_1 - y_e)^2 - V_e^2 (t_1 - t_e)^2 = 0 \\
(x_2 - x_e)^2 + (y_2 - y_e)^2 - V_e^2 (t_2 - t_e)^2 = 0 \\
(x_3 - x_e)^2 + (y_3 - y_e)^2 - V_e^2 (t_3 - t_e)^2 = 0 \\
(x_4 - x_e)^2 + (y_4 - y_e)^2 - V_e^2 (t_4 - t_e)^2 = 0,
\end{cases}$$

where $t_i$, $i = 1, 2, 3, 4$, is the disturbing event arrival time to
the i-th PMU; $(x_i, y_i)$ and $(x_e, y_e)$ are the coordinates of the
i-th PMU and the disturbing event location, respectively; $V_e$ is
the event propagation speed in the power grid network. Since
the coordinates and the arrival time of each PMU are known,
Newton's method can be applied to solve these equations to
attain the event location and time. Since the sampling is triggered
by the GPS receiving signal, a forged GPS time signal can
control the sampling in a wrong time and provide wrong time
stamps for the measurements.

Fig. 16: Illustration of regional disturbing event location
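A numerical illustration of how one shifted time stamp moves the estimated event location, as an added example that is not from the paper. It solves the four TOA equations above by subtracting the first equation from the other three, which gives a linear system in $(x_e, y_e, t_e)$, rather than by Newton's method; the PMU coordinates, the propagation speed of 500 km/s and the event itself are constructed values.

```python
import math

# Constructed scenario (not from the paper): coordinates in km, times in s.
V_E = 500.0                                   # assumed propagation speed, km/s
PMUS = [(0.0, 0.0), (400.0, 0.0), (100.0, 350.0), (450.0, 300.0)]


def arrival_times(event_xy, t_event):
    """Ideal wave-front arrival time t_i at each PMU for a given event."""
    return [t_event + math.dist(p, event_xy) / V_E for p in PMUS]


def _det3(m):
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))


def locate_event(times):
    """Solve the four TOA equations for (x_e, y_e, t_e).

    Subtracting equation 1 from equation i cancels the quadratic terms:
      2(x_i-x_1) x_e + 2(y_i-y_1) y_e - 2 V_e^2 (t_i-t_1) t_e
          = (x_i^2+y_i^2) - (x_1^2+y_1^2) - V_e^2 (t_i^2 - t_1^2)
    The resulting 3x3 linear system is solved with Cramer's rule.
    """
    (x1, y1), t1 = PMUS[0], times[0]
    rows, rhs = [], []
    for (xi, yi), ti in zip(PMUS[1:], times[1:]):
        rows.append([2 * (xi - x1), 2 * (yi - y1),
                     -2 * V_E ** 2 * (ti - t1)])
        rhs.append(xi ** 2 + yi ** 2 - x1 ** 2 - y1 ** 2
                   - V_E ** 2 * (ti - t1) * (ti + t1))
    det = _det3(rows)
    solution = []
    for col in range(3):
        m = [r[:] for r in rows]
        for k in range(3):
            m[k][col] = rhs[k]
        solution.append(_det3(m) / det)
    return tuple(solution)


def shift_pmu1(times, delta_t):
    """Time stamps as reported when only PMU-1's clock is offset by delta_t."""
    shifted = list(times)
    shifted[0] += delta_t
    return shifted


def location_error_km(true_xy, times):
    x_e, y_e, _ = locate_event(times)
    return math.hypot(x_e - true_xy[0], y_e - true_xy[1])


if __name__ == "__main__":
    event, t0 = (120.0, 200.0), 10.0
    clean = arrival_times(event, t0)
    for dt in (0.0, 0.001, 0.010, 0.020):
        err = location_error_km(event, shift_pmu1(clean, dt))
        print(f"PMU-1 offset {dt * 1e3:5.1f} ms -> location error {err:6.2f} km")
```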

B. Analysis of Impact 

The principle to obtain the event location coordinates
and the event time is the TOA algorithm. Since the event
monitoring devices in power network are allocated far away
from each other, it is difficult to launch cooperative TSA. In
this paper, we analyze the scenario of a single TSA attacker
to the system. We assume that PMU-1 is suffering from TSA,
and the arrival time of PMU-1 is modified as



(44) 

where is the true arrival time of PMU-1, and $\Delta t$ is the time
error due to the TSA. We set $(x_1, y_1)$ as the origin of the
transformed coordinates for simplicity of analysis [24]. We also set
$(x_2, y_2)$ and $(x_3, y_3)$ as $(a, 0)$ and $(b, c)$ in the transformed
coordinates, respectively, where $a = \sqrt{(x_1 - x_2)^2 + (y_1 - y_2)^2}$,
and $b$ and $c$ can be easily changed into the new coordinates
by using the following equations:

^ = (x3 - xi) cosa + (?/3 - ^1) sina (45) 
c = — (x3 — xi) sina + (?/3 — cosa, (46) 



where 



« = tan-i^i^). (47) 

\X2 -XiJ 

We define /c^ = x^ + y^, where {x'^^y'^) is the transformed 
coordinate for the event location. Similarly to the analysis in 
II24II . we define two pseudo-ranges L = (^2 — and R = 
(^3 — ti)Ve. It is easy to obtain the close form of the solution, 
which is given by 

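$$x'_e = A + Bk \qquad (48)$$
$$y'_e = C + Dk, \qquad (49)$$

where 

$$A = \frac{a^2 - L^2}{2a} \qquad (50)$$
$$B = -\frac{L}{a} \qquad (51)$$
$$C = \frac{b^2 + c^2 - 2bA - R^2}{2c} \qquad (52)$$
$$D = -\frac{R + bB}{c}. \qquad (53)$$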



It is easy to transform the coordinate of the event location into 
the original coordinate, which is given by 

$$x_e = x'_e \cos\alpha - y'_e \sin\alpha + x_1 \qquad (54)$$
$$y_e = x'_e \sin\alpha + y'_e \cos\alpha + y_1. \qquad (55)$$



Since TSA only affects PMU-1, we analyze how $t_1$ affects the 
location error. The partial derivatives of $x'_e$ and $y'_e$ with respect 
to $t_1$ are given by (56) and (57). 

The parameters $N$, $M$, and $P$ can be further expressed as: 

$$N = AB + CD \qquad (58)$$
$$M = B^2 + D^2 - 1 \qquad (59)$$
$$P = A^2 + C^2. \qquad (60)$$



After obtaining the partial differentiation in the transformed 
coordinates, it is easy to obtain the partial differentiations in 
the original coordinates, which are given by 

$$\frac{\partial x_e}{\partial t_1} = \delta_x(t_1)\cos\alpha - \delta_y(t_1)\sin\alpha \qquad (61)$$
$$\frac{\partial y_e}{\partial t_1} = \delta_x(t_1)\sin\alpha + \delta_y(t_1)\cos\alpha \qquad (62)$$
8x{tl) 



dXe_ 

dti 

, ^^-{AV^Ia - BLVJa + C/c{Ve - hVJa) + DV^{-hL/ac + R/c)) 

(B2 + D2-l)2 

^^ANVe{A/a + LB /a + C/c(l - b/a) + D{-bL/{ac) + R/c)) 
^JdM , 

4(^2 + £)2 _ l)2y/iV2 -4MP 

, ^^MVe{AL/a + C{-bL/ac + R/c)) + PVe{B/a + D/c{l - b/a)) 

4(^2 + 1)2 _ l)2y'7V2 -4MP 

-hBVe{B/a + L>/c(l - ± -^MP), (56) 



dti 

— {R-bL/a+{l-b/a)k) 

-{AVe/a - BLVe/a + C/c(T4 - &T4/ffl) + DVe{-bL/ac+ R/c)) 

^ (B2 + D2 - 1)2 

ANVe{A/a + Lg/g + C/c(l - b/a) + D{-bL/{ac) + i?/c)) 
^ 4(B2 + Z)2 _ 1)2 ^jv2 - aWP 

MVe{AL/a + C{-bL/ac + R/c)) + PVe{B/a + D/c{l - b/a)) 

nZoU , : 

4(^2 + 1)2 _ l)2y'7V2 -4MP 

+We(P/a + L>/c(l - b/a)){N ± ^N^ -4.MP), (57) 



C. Simulation Results 

For the disturbing event location, the sampling is triggered 
by the GPS time signal as illustrated in Figure 1. A forged 
GPS time signal can control the sampling at a wrong time 
or provide a wrong time stamp for the measurements. The 
simulation illustrating the impact on the event location is 
shown in Figure 17. It is observed that, with one PMU under 
TSA, the estimation of disturbing event will be far away from 
the true position (the event happening in Mississippi is misled 
to Tennessee). 




Fig. 17: Simulation of TSA on disturbing event location 

Based on the analytical results, we simulate the location 
error with different $\Delta t$, which is given by Figure 18. It is 
observed that the location error caused by TSA is nonlinear. 

Fig. 18: Location error under various $\Delta t$ (horizontal axis: $\Delta t$ in seconds) 
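
The following Python sketch is an added example, not code from the paper. It implements the three-PMU closed form of Section B, uses PMU-4 to choose the root and to flag inconsistent time stamps (a check that goes beyond the paper's analysis), and measures the location error when PMU-1's time stamp is shifted by $\Delta t$. The PMU coordinates, the 500 km/s propagation speed, the function names and the coefficient expressions (derived here from the range equations, with the quadratic written as $Mk^2 + 2Nk + P = 0$) are assumptions.

```python
import math

V_E = 500.0  # assumed propagation speed, km/s (constructed value)
# Constructed PMU coordinates in km; PMU-1 becomes the transform origin.
PMUS = [(100.0, 50.0), (340.0, 370.0), (-140.0, 230.0), (100.0, 550.0)]

def arrival_times(event, t_e=0.0):
    """Ideal time stamps: event time plus travel time to each PMU."""
    return [t_e + math.dist(event, p) / V_E for p in PMUS]

def pmu4_mismatch(fix, t):
    """Seconds between PMU-4's time stamp and the arrival the fix predicts."""
    return t[3] - (fix[2] + math.dist(fix[:2], PMUS[3]) / V_E)

def locate(t):
    """Closed-form fix (x_e, y_e, t_e) from PMU-1..3; PMU-4 picks the root."""
    (x1, y1), (x2, y2), (x3, y3) = PMUS[:3]
    al = math.atan2(y2 - y1, x2 - x1)        # quadrant-safe form of Eq. (47)
    ca, sa = math.cos(al), math.sin(al)
    a = math.hypot(x2 - x1, y2 - y1)
    b = (x3 - x1) * ca + (y3 - y1) * sa      # Eq. (45)
    c = -(x3 - x1) * sa + (y3 - y1) * ca     # Eq. (46)
    L, R = (t[1] - t[0]) * V_E, (t[2] - t[0]) * V_E  # pseudo-ranges
    # Coefficients derived here from the range equations, k = range to PMU-1.
    A, B = (a * a - L * L) / (2 * a), -L / a
    C, D = (b * b + c * c - 2 * b * A - R * R) / (2 * c), -(R + b * B) / c
    # k^2 = (A + B k)^2 + (C + D k)^2  gives  M k^2 + 2 N k + P = 0
    M, N, P = B * B + D * D - 1, A * B + C * D, A * A + C * C
    disc = N * N - M * P
    if disc < 0:
        raise ValueError("time stamps admit no real event location")
    if abs(M) < 1e-12:
        roots = [-P / (2 * N)]
    else:
        roots = [(-N + s * math.sqrt(disc)) / M for s in (1.0, -1.0)]
    fixes = []
    for k in (r for r in roots if r >= 0):   # a range cannot be negative
        xt, yt = A + B * k, C + D * k        # Eqs. (48)-(49)
        fixes.append((xt * ca - yt * sa + x1, xt * sa + yt * ca + y1,
                      t[0] - k / V_E))       # Eqs. (54)-(55)
    return min(fixes, key=lambda f: abs(pmu4_mismatch(f, t)))

def tsa_effect(event, dt):
    """Location error (km) and PMU-4 mismatch (s) with PMU-1 off by dt s."""
    t = arrival_times(event)
    t[0] += dt
    fix = locate(t)
    return math.dist(fix[:2], event), pmu4_mismatch(fix, t)
```

With these constructed values, a 0.1 s offset on PMU-1 moves the fix by roughly 47 km and a 0.2 s offset by more than twice that, while the PMU-4 mismatch, zero for honest time stamps, grows to about 0.08 s and can be monitored as a consistency check.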



VI. Conclusion 

In this paper, we have identified the GPS spoofing based 
TSA in power grids. The time stamps are modified by the 
forged GPS signal, and the measurements with time stamps 
will be corrupted by TSA. For several scenarios, the impacts 
of TSA have been studied. For the transmission line fault 
detection and location, TSA can not only deteriorate the 
performance of fault location, but also increase the false alarm 
probability with some fault indicators. For the voltage stability 
monitoring, TSA can exaggerate the power margin and result 
in delaying or disabling the voltage instability alarm. It has 
also been demonstrated that the TSA can significantly damage 
the event location in power grid. 